More than once a month, I get asked if there is a way to implement Multi-Factor Authentication on cloud-based Linux VMs without having to buy tokens and implement proprietary services.

There are a couple of Open Source MFA solutions available; for ease of installation and use, I chose Google Authenticator.

This tutorial contains configuration instructions for both Debian and Red Hat based Linux distributions and is written for the current versions.

What is Google Authenticator and how does it work?

Google Authenticator is an alternative to SMS for 2-Step Verification: an app is installed on Android / iOS and the codes are obtained there instead of by text message. It supports both the HOTP and TOTP algorithms for generating one-time passwords.

With HOTP, the server and client share a secret value and a counter, which are used to compute a one-time password independently on both sides. Whenever a password is generated and used, the counter is incremented on both sides, allowing the server and client to remain in sync.

TOTP essentially uses the same algorithm as HOTP with one major difference: the counter used in HOTP is replaced by the current time. The client and server remain in sync as long as their system clocks agree, which is why the server should synchronise its time using the Network Time Protocol (NTP).

The secret key (as well as the counter in the case of HOTP) has to be communicated to both the server and the client at some point in time. In the case of Google Authenticator, this is done in the form of a URI encoded in a QR code. See KeyUriFormat for more information.
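To make the HOTP/TOTP relationship and the Key URI concrete, here is an added Python example (not part of this tutorial or of the google-authenticator project) that derives both code types from a shared secret, verifies a submitted code the way a server would with a small clock-skew window, and builds the otpauth:// URI the app scans. The secret is the RFC 4226/6238 test value, not a real one, and the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32); demo only.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew; constant-time compare."""
    candidates = (totp(secret_b32, now + k * step, step) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def key_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI (KeyUriFormat) that gets encoded into the enrolment QR code."""
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))
    print("TOTP at t=59  :", totp(DEMO_SECRET, 59))
    print(key_uri(DEMO_SECRET, "alice@example-vm", "ExampleVM"))
```

Both sides of the exchange run exactly this arithmetic; the phone never contacts the server, so only the shared secret and a correct clock matter.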

How do I install Google Authenticator?

The installation consists of 5 steps:

STEP 1: Install the Client on a mobile device.

First the Google Authenticator app has to be installed on a mobile device:
Android: Get the latest version here, directly from Google Play.
iOS: Get the latest version here, directly from the App Store.
Windows: There is no Google Authenticator app, but a compatible app can be obtained here, from the Microsoft Store.

STEP 2: Install the service on your Linux machine.

Debian based:

The -y switch installs the package and all its dependencies, such as NTP, without prompting:

sudo apt-get -y install libpam-google-authenticator

RHEL based:

First we need to install the development tools so we have a compiler and the libraries we need. To do that we’ll use yum to install the “Development Tools” group:

sudo yum -y groupinstall "Development Tools"

Now we need to install the PAM development package:

sudo yum -y install pam-devel

We set up and enable NTP to make sure our time is correct, since we will be using time-based synchronisation.